CVE-2025-4603 Overview
The eMagicOne Store Manager for WooCommerce plugin for WordPress contains an arbitrary file deletion vulnerability due to insufficient file path validation in the delete_file() function. This vulnerability affects all versions up to, and including, 1.2.5. The flaw enables unauthenticated attackers to delete arbitrary files on the server, which can readily escalate to remote code execution when critical files such as wp-config.php are deleted.
The vulnerability is particularly dangerous in default configurations where the plugin's default credentials (1:1) remain unchanged, or in scenarios where an attacker has obtained valid credentials through other means.
Critical Impact
Unauthenticated attackers can delete arbitrary server files, potentially leading to complete site takeover through remote code execution when critical WordPress configuration files are removed.
Affected Products
- eMagicOne Store Manager for WooCommerce plugin for WordPress (versions ≤ 1.2.5)
- WordPress installations with the Store Manager Connector plugin enabled
- WooCommerce stores using the eMagicOne management interface
Discovery Timeline
- 2025-05-24 - CVE-2025-4603 published to NVD
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2025-4603
Vulnerability Analysis
This vulnerability is classified under CWE-73 (External Control of File Name or Path), representing a critical path traversal flaw that allows attackers to manipulate file paths to access or delete files outside the intended directory structure.
The vulnerability exists in the delete_file() function within the plugin's codebase. The function fails to properly validate or sanitize the file path parameter before performing deletion operations. This lack of input validation allows attackers to supply specially crafted path strings containing directory traversal sequences (such as ../) to target files anywhere on the server filesystem that the web server process has permissions to delete.
The attack surface is significantly expanded by the plugin's default authentication mechanism. When installations retain the default credentials of 1:1, the vulnerability becomes exploitable by any unauthenticated attacker who can reach the WordPress installation over the network.
Root Cause
The root cause is insufficient file path validation in the delete_file() function located in the plugin's core classes. The function accepts user-supplied input for file paths without implementing proper sanitization or path canonicalization checks. This design flaw allows path traversal sequences to escape the intended upload or plugin directory, enabling attackers to reference and delete arbitrary files on the server filesystem.
Additionally, the use of weak default credentials (1:1) for the plugin's authentication mechanism compounds the severity by making the vulnerable endpoint accessible to unauthenticated attackers in default configurations.
Attack Vector
The attack is network-based and requires no user interaction, making it highly exploitable. An attacker can exploit this vulnerability by:
- Identifying WordPress installations with the vulnerable eMagicOne Store Manager connector plugin
- Authenticating using default credentials (1:1) or previously compromised credentials
- Sending a crafted request to the delete_file() function with a path traversal payload
- Targeting critical files such as wp-config.php for deletion
- Leveraging the resulting site misconfiguration to establish further access or execute code
When wp-config.php is deleted, WordPress enters its installation mode, allowing an attacker to reconfigure the site with their own database settings and effectively take complete control of the installation.
The vulnerability mechanism involves path traversal via the delete_file() function. The attacker supplies a manipulated file path containing directory traversal sequences that escape the intended directory scope. Technical details and proof-of-concept code are available in the GitHub PoC Repository and Ryan Kozak's CVE Analysis.
Detection Methods for CVE-2025-4603
Indicators of Compromise
- Unexpected deletion of critical WordPress files, particularly wp-config.php
- HTTP requests to plugin endpoints containing path traversal sequences (../) in file parameters
- Authentication attempts using default credentials (1:1) against the Store Manager connector
- WordPress site unexpectedly entering installation/setup mode
- Web server logs showing requests to /wp-content/plugins/store-manager-connector/ endpoints with suspicious parameters
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns in requests to the Store Manager connector plugin
- Implement file integrity monitoring (FIM) on critical WordPress files including wp-config.php, .htaccess, and core WordPress files
- Configure alerts for authentication attempts to the Store Manager connector using known default credentials
- Review web server access logs for unusual DELETE operations or requests containing encoded traversal sequences
Monitoring Recommendations
- Deploy endpoint detection and response (EDR) solutions to monitor file deletion activities on WordPress hosting servers
- Enable comprehensive logging for all plugin API endpoints and correlate with SentinelOne behavioral analysis
- Implement real-time alerting for modifications or deletions to WordPress core configuration files
- Use SentinelOne's file integrity monitoring capabilities to detect unauthorized changes to critical application files
How to Mitigate CVE-2025-4603
Immediate Actions Required
- Update the eMagicOne Store Manager for WooCommerce plugin to a version newer than 1.2.5 immediately
- Change default plugin credentials from 1:1 to strong, unique credentials
- Audit existing WordPress installations for signs of exploitation
- Implement web application firewall rules to block path traversal attempts
- Consider temporarily disabling the plugin if an update is not immediately available
Patch Information
Users should update to the latest available version of the eMagicOne Store Manager for WooCommerce plugin that addresses this vulnerability. Check the Wordfence Vulnerability Report for current patch status and version recommendations.
The vulnerable code can be reviewed in the WordPress Plugin Code Review at the following locations:
- class-emosmconnectorcommon.php (Line 2167)
- class-emosmcwoocommerceoverrider.php (Line 380)
- smconnector.php (Lines 35-36)
Workarounds
- Immediately change the Store Manager connector credentials from the default 1:1 to a strong password combination
- Restrict network access to the WordPress admin and plugin endpoints using IP allowlisting
- Deploy WAF rules to block requests containing path traversal sequences targeting the plugin endpoints
- Temporarily deactivate the Store Manager Connector plugin until the patch can be applied
- Implement file permissions hardening to prevent the web server process from deleting critical WordPress files
# Configuration example - Restrict access to Store Manager connector endpoints via .htaccess
<FilesMatch "smconnector\.php">
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8
</FilesMatch>
# Alternative: Block path traversal patterns at web server level
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} \.\.%2f [NC]
RewriteRule ^wp-content/plugins/store-manager-connector/.* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
